Impact
This vulnerability is an instance of Improper Neutralization of Input During Web Page Generation, commonly referred to as Cross‑Site Scripting (CWE-79). The Video Player and Slider plugin fails to sanitize user‑supplied data before embedding it in the browser’s HTML, allowing an attacker to inject malicious JavaScript. When a victim visits a crafted URL or interacts with the plugin, the injected script runs in the victim’s browser. The attacker could steal session cookies, deface the site, or redirect users to malicious domains. The flaw is reflected – the data is returned unchanged – so it can be triggered by a single malicious request and does not rely on stored data or authentication.
Affected Systems
LambertGroup’s WordPress Youtube Vimeo Video Player and Slider plugin, all releases up to and including version 3.8. Any WordPress site that has this plugin installed and has not upgraded to a newer version is potentially vulnerable.
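To check an installation against the affected range above, the following added example (not code from the plugin or from this advisory) walks a `wp-content/plugins` directory, reads each plugin's WordPress header comment and flags matching plugins at version 3.8 or lower. The name pattern, the function names and the sample tree are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# From the advisory: every release up to and including 3.8 is affected.
LAST_AFFECTED = (3, 8)
# Assumption: the plugin's "Plugin Name:" header contains this phrase.
NAME_RE = re.compile(r"video player and slider", re.I)
# WordPress plugin headers are "Key: value" lines inside a leading comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.I | re.M)

def read_headers(php_file):
    """Return the Plugin Name / Version headers from the first 8 KiB of the file."""
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    headers = {}
    for key, value in HEADER_RE.findall(text):
        headers.setdefault(key.lower(), value)  # first occurrence wins
    return headers

def version_tuple(version):
    """'3.8' -> (3, 8); '3.8.0' -> (3, 8); '3.10' -> (3, 10); '' -> ()."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit(plugins_dir):
    """List (directory, version, affected) for each matching plugin found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        headers = read_headers(php)
        if not NAME_RE.search(headers.get("plugin name", "")):
            continue
        version = headers.get("version", "")
        # An unreadable version yields () and is reported as affected.
        findings.append((php.parent.name, version, version_tuple(version) <= LAST_AFFECTED))
    return findings

def build_sample_tree(root):
    """Constructed sample data: directory names and headers are placeholders."""
    samples = {"sample-a": ("Youtube Vimeo Video Player and Slider", "3.8.0"),
               "sample-b": ("Youtube Vimeo Video Player and Slider", "3.9"),
               "sample-c": ("Unrelated Contact Form", "1.0")}
    for folder, (name, version) in samples.items():
        (Path(root) / folder).mkdir(parents=True)
        (Path(root) / folder / "plugin.php").write_text(
            f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n")

if __name__ == "__main__":
    for folder, version, affected in audit(sys.argv[1]):
        print(f"{folder}\t{version or 'unknown'}\t{'AFFECTED' if affected else 'ok'}")
```

Run it with the path to the site's plugins directory as the only argument; a plugin whose version header cannot be parsed is reported as affected so that it gets a manual look.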
Risk and Exploitability
The CVSS base score of 7.1 places this issue in the High severity range, indicating that successful exploitation would compromise confidentiality, integrity, and availability for users who view the vulnerable page. The EPSS score is reported as less than 1 %, signaling that, as of the last data point, the likelihood of real-world exploitation is low, and the vulnerability has not yet appeared in the CISA KEV catalog. Nevertheless, because the attack requires only a crafted URL and can be triggered remotely, it remains a serious threat. Operators should expect that an attacker could exploit it from anywhere, provided the plugin is enabled and public pages are reachable.